Re: EAP-TLS and OS X clients

[Jaap Winius]

Quoting a.l.m.bu...@lboro.ac.uk:


SSL certs can be in various formats. Ones that are 'usable'
depends on the underlying code, but the useful types are
usually PEM, DER (also known as CER) and P12these are
all active certs. CSR is a certificate signing request file
and isn't a valid cert for client use. ... On OSX you need
to ensure you have the CA installed - and TRUSTED!


Thanks, Alan. That straightened some things out for me.

Eventually, though, it turned out that the most important issue was  
with OS X 10.7 (Lion). With this particular version of Apple's OS, the  
facility for adding enterprise network configurations is not as  
flexible as it once was. Now, if something different is required, a  
special (free) tool must first be obtained -- the iPhone Configuration  
Utility -- with which to create an XML profile that can then be  
applied. Not exactly what I was expecting, but that's the way it is.  
For anyone who might be interested, here's the set of instructions  
that I used:




If your school uses TTLS with PAP (LDAP backend) then yah, the auto  
connection with ethernet will not help you. That is because the  
default EAP type that is supported is TTLS MSCHAPv2 (which is a bit  
more secure that PAP --ya ya, I know it is not fool proof).


Anyway, all is not lost.

You have three choices on how to get an 802.1X profie that supports  
TTLS with PAP onto your Mac.

1. Download iPCU and create a .mobileconfig file
2. Buy Lion server and use Profile Manager
3. Create a .mobileconfig (xml file) from scratch

Options 2 and 3 are kind of a pain in the rear, so let's stick with option 1.

Please put on your learning hat now

**Please note this example is for a wired OR wireless 802.1X  
connection that requires TTLS and PAP for Lion clients**


1. Download and install the iPCUhttp://support.apple.com/kb/DL851
2. Open the iPCU (the iPCU is install in Applications - Utilities)
3. In the right hand side click on Configuration Profiles.
4. Click on New. (upper left)
5. You will see a new profile with a bunch of payloads (general,  
passcode, restrictions, etc). Don't worry you do not need to fill most  
of these out.
6. Click on General and fill out a Profile Name, Identifier (they can  
be anything) the rest of the fields you can leave blank. I used spam  
and spam.
7. Now click on WiFi. Do be scared here. Lion can use WiFi profiles  
for Ethernet (it will just ignore the SSID field). Click configure.
7a. For SSID ..If your school has a wireless network that uses TTLS  
with PAP, fill in the SSID name (wireless network name) that your  
school uses. If your school does not use wireless, then just use an  
label (e.g. spam).
7b. Ignore the hidden network field (unless of course your school uses  
a hidden SSID and you want to use wireless for this connection).
7c. Security Type ..Again if this is for Ethernet, just use WPA/WPA2  
Enterprise. If this profile is going to be used for WiFi, then you  
need to find out what type of security your school uses. Most likely  
it will be WPA/WPA2 Enterprise (I hope).
7d. Once you choose WPA/WPA2 Enterprise you will see more options  
appear. Choose TTLS.

7e. Ignore EAP-FAST settings. Leave all boxes unchecked for EAP-FAST.
7f. For Inner Authentication choose PAP.
8. You will see three tabs, one for protocol (that you already filled  
out), one for Authentication and one for Trust. You can ignore trust  
unless you have the certificate from the radius server already loaded  
on your client. Don't worry if you do not have the cert, the Mac will  
load it (with your permission) during the first authentication. Ignore  
the Authentication tab for now.

9. Now look at the top left of the tool and choose Export
9a. for Security, just choose none (don't worry about signing it)
9b. Hit Export.
10. You will get a Save As dialogue box. Give the profile a name (like  
spam  or something) and choose where you would like to save the profile.
11. Now goto where you save your profile and double click it. System  
Prefs will launch and try to install the profile.

11a. Just hit continue and continue again.
11b. You will be prompted for settings which are the username and  
password. You can either just hit install (the eapol supplicant will  
ask you for your credentials during the authentication phase) or you  
can fill them out now. BE SURE TO INPUT THE CORRECT INFORMATION.  
If you insert a bad username or password into this field, it will get  
saved as a keychain entry (with bad info) and you will never be able  
to connect. The Mac will just silently fail authentication until you  
delete the keychain entry and do a fresh auth. Save yourself some  
trouble and leave the fields blank and just hit install.

11c. You will be prompted for your admin password to install the profile.
12. The profile should be installed now.
13. In system prefs, click show all then click network.
14. If you click on your Ethernet interface you should now 

Re: EAP-TLS and OS X clients

[A . L . M . Buxey]

Hi,

 Eventually, though, it turned out that the most important issue was
 with OS X 10.7 (Lion). With this particular version of Apple's OS,

yes, I know. Apple suck for doing this.  I manage campus network at
Loughborough university and eduroam federation in the UK
and so am well aware of OSX and their idea of making OSX have the
same .mobileconfig method as iOS.

you might want to look into 'eduroam CAT' tool - as your NREN
federation/eduroam people about it.


whoa re your instructions aimed at? I worry a great deal about them
because you arent telling them to install/verify a CA or a RADIUS server
for the connection (thus basically negating the whole point of PKI!)
and the site might use EAP-FAST (some places actually do more than
just EAP-TTLS).  also, end users dont need to run this tool! you
(the admin) so all the hard work of configuring the profile and
then just provide the end user/customer the *SIGNED* mobileconfig file

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS and OS X clients

[Jaap Winius]

Quoting a.l.m.bu...@lboro.ac.uk:


you might want to look into 'eduroam CAT' tool - as your NREN
federation/eduroam people about it.


Thanks very much! I'll look into it.


whoa re your instructions aimed at? I worry a great deal about them
because you arent telling them to install/verify a CA or a RADIUS server
for the connection (thus basically negating the whole point of PKI!)
and the site might use EAP-FAST (some places actually do more than
just EAP-TTLS).  also, end users dont need to run this tool! you
(the admin) so all the hard work of configuring the profile and
then just provide the end user/customer the *SIGNED* mobileconfig file


Oh, hey, I thought I was just sharing this information with a bunch of  
lazy sysadmins, some of whom might be interested to know how I  
eventually managed to connect OS X 10.7 (Lion) hosts to my wifi network.


As I mentioned in my previous post, I did not author those  
instructions. I'm also not in the habit of re-posting information  
written by others, but although they may not be perfect, I thought  
they were helpful and then suddenly became worried that Apple might  
make them disappear at one point or another (it wasn't exactly easy  
information to find).


Moreover, I explained that I was using a WPA2-Enterprise configuration  
with Freeradius 2.1.0, EAP-TLS and 4096-bit SHA-1 in my first post in  
this thread on Sunday 17 Feb.


Cheers,

Jaap
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

EAP-TLS and OS X clients

[Jaap Winius]

Hi folks,

My WPA2-Enterprise configuration with Freeradius 2.1.0, EAP-TLS and  
4096-bit SHA-1 certificates works great with wpaspplicant on Linux,  
but can anyone help me understand how to get this to work for OS X  
(Lion) clients?


My Linux client uses a copy of the ca.pem file to establish the link  
(after which PAP is used to authenticate), but although the same  
ca.pem file can be imported into the OS X client's keychain, this  
certificate never shows up as a selectable identity when configuring  
EAP-TLS wireless access, like in this case (bottom of the page):


https://wiki.thayer.dartmouth.edu/display/computing/Configuring+an+OS+X+Mac+for+the+Dartmouth+Secure+Wireless+Network

In this example, the users are given a personalized *.cer certificate  
to add to their keychain. Since I don't have any client.cer files, I  
tried this approach with a client.csr file instead, which seemed  
personalized enough, but still I run into the same roadblock.


Can anyone say what I should be doing differently? E.g. are *.cer  
certificates mandatory (if so, how can I make them?), or can I not use  
my self-signed certificates?


Thanks,

Jaap
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS and OS X clients

[Alan DeKok]

Jaap Winius wrote:
 Can anyone say what I should be doing differently? E.g. are *.cer
 certificates mandatory (if so, how can I make them?), or can I not use
 my self-signed certificates?

  I'm always use pem or crt files, not *.cer.  It works on my Mac.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS and OS X clients

[A . L . M . Buxey]

Hi,

 https://wiki.thayer.dartmouth.edu/display/computing/Configuring+an+OS+X+Mac+for+the+Dartmouth+Secure+Wireless+Network
 
 In this example, the users are given a personalized *.cer
 certificate to add to their keychain. Since I don't have any
 client.cer files, I tried this approach with a client.csr file
 instead, which seemed personalized enough, but still I run into the
 same roadblock.
 
 Can anyone say what I should be doing differently? E.g. are *.cer
 certificates mandatory (if so, how can I make them?), or can I not
 use my self-signed certificates?

rightSSL cerst can be in various formats.  ones that are 'usable' depends
on the underlying codebut the useful types are usually PEM, DER (also known 
as
CER) and P12these are all active certs

CSR is a certificate signing request file and isnt a valid cert for client use.


if you have one type you can easily convert it to any of the other formats
using 'openssl' on the command line of a Linux or OSX system - the command 
format
isnt trivial...but its fairly obvious, the man pages over it and there are MANY
web pages out there telling you how to do it.

under Linux, most of the network admin tools for WPA2/WPA enterprise are fairly 
limited
and fussy about certificates, how and where they are installed...on OSX you 
need to ensure
you have the CA installed - and TRUSTED!

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html